
Slide 1
Copyright © 2005 - The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License.
OWASP AppSec DC, October 2005, http://www.owasp.org/
Integrating Identity Services into Web Apps
Gunnar Peterson, CTO, Arctec Group, gunnar@arctecgroup.net

Slide 2: Identity is under attack
- Identity risks
  - Anti-Phishing Working Group July report (14,135 phishing reports), excerpt:
    - Number of brands hijacked by phishing campaigns in July: 71
    - Number of brands comprising the top 80% of phishing campaigns in July: 6
    - Country hosting the most phishing websites in July: United States
    - Sites containing some form of the target name in the URL: 46%
    - Sites with no hostname, just an IP address: 41%
    - Sites not using port 80: 9%
    - Average time online for a site: 5.9 days
    - Longest time online for a site: 30 days
  - Key finding: the study found 174 unique password-stealing applications and 918 unique password-stealing malicious URLs
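Three of the APWG figures above (target name in the URL, bare IP address instead of a hostname, non-standard port) are indicators a triage script can check directly. The following is an added example, not part of the original slides: the protected-brand table, the legitimate hostnames and the sample URLs are constructed for illustration, and the additive score is a simple heuristic rather than anything the report defines.

```python
"""Heuristics for the phishing-URL indicators quoted from the APWG report: a brand name
present in the URL but not in the host, an IP literal in place of a hostname, and a
non-standard port.  Added example, not part of the original slides; the protected-brand
table and the sample URLs are constructed for illustration."""
import ipaddress
from urllib.parse import urlsplit

# Constructed: each protected brand and the hostnames it legitimately serves from.
PROTECTED_BRANDS = {
    "examplebank": {"examplebank.com", "www.examplebank.com", "online.examplebank.com"},
}


def host_is_ip_literal(host: str) -> bool:
    """True for IPv4/IPv6 literals (urlsplit already strips the brackets from IPv6 hosts)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_url(url: str) -> dict:
    """Return the indicators found in one URL plus a simple additive score."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    try:
        port = parts.port                 # None when no explicit port is given
    except ValueError:
        port = -1                         # unparsable port: treat as non-standard
    lowered = url.lower()
    # Brand mentioned anywhere in the URL while the host is not one of its real hosts.
    spoofed = sorted(brand for brand, hosts in PROTECTED_BRANDS.items()
                     if brand in lowered and host not in hosts)
    findings = {
        "ip_host": host_is_ip_literal(host),
        "nonstandard_port": port is not None and port not in (80, 443),
        "brand_in_url_not_host": spoofed,
    }
    findings["score"] = int(findings["ip_host"]) + int(findings["nonstandard_port"]) + len(spoofed)
    return findings


def triage(urls):
    """Rank candidate URLs, most suspicious first; ties keep their input order."""
    scored = [(url, analyse_url(url)) for url in urls]
    return sorted(scored, key=lambda item: -item[1]["score"])


if __name__ == "__main__":
    # Constructed sample URLs: one legitimate, three showing the indicators above.
    for url, found in triage([
        "https://www.examplebank.com/login",
        "http://192.0.2.10:8080/examplebank/login",
        "http://examplebank.com.evil.example/secure",
        "http://198.51.100.7/update",
    ]):
        print(found["score"], url, found)
```

The brand check deliberately compares the whole host against an allow-list rather than testing whether the host "ends with" the brand domain, because lookalikes such as examplebank.com.evil.example are exactly what the 46% figure is about.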

Slide 3: Identity is under attack (cont.)
- Identity risks (cont.)
  - Publicly reported data breaches since the ChoicePoint incident (2/15/05): http://www.privacyrights.org/ar/ChronDataBreaches.htm
  - Over 50 million personal information records stolen, including (very abbreviated list):
    - Bank of America: 1.2 million (lost backup tape)
    - San Jose Med. Group: 185,000 (stolen computer)
    - Wachovia: 676,000 (dishonest insider)
    - Dept of Justice: 80,000 (stolen laptop)
    - Univ of Utah: 100,000 (hacking)
    - Lucas County Children Services: 900 (exposed by email)
    - Merlin Data Services: 9,000 (bogus account setup)
    - Lexis Nexis: 280,000 (password compromised)
  - The world is flat: identity attacks target identity data wherever it is found - small companies, big companies, government, non-profits, educational institutions, home users.

Slide 4: Understanding Identity
- Foundations of identity
  - Subjects
  - Claims
  - Claims about subjects are evaluated to negotiate access

Slide 5: The Laws of Identity
- Codified on identityblog.com
- Why do we need laws to deal with identity?

Slide 6: The Laws of Identity (identityblog.com)
1. User control and consent: technical identity systems must only reveal information identifying a user with the user's consent.
2. Minimal disclosure for a constrained use: the solution that discloses the least amount of identifying information and best limits its use is the most stable long-term solution.
3. Justifiable parties: digital identity systems must be designed so the disclosure of identifying information is limited to parties having a necessary and justifiable place in a given identity relationship.
4. Directed identity: a universal identity system must support both "omni-directional" identifiers for use by public entities and "unidirectional" identifiers for use by private entities, thus facilitating discovery while preventing unnecessary release of correlation handles.

Slide 7: The Laws of Identity (identityblog.com) (cont.)
5. Pluralism of operators and technologies: a universal identity system must channel and enable the inter-working of multiple identity technologies run by multiple identity providers.
6. Human integration: the universal identity metasystem must define the human user to be a component of the distributed system, integrated through unambiguous human-machine communication mechanisms offering protection against identity attacks.
7. Consistent experience across contexts: the unifying identity metasystem must guarantee its users a simple, consistent experience while enabling separation of contexts through multiple operators and technologies.
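Law 4 names a concrete mechanism, so here is an added example (not from the slides or from identityblog.com) of how an identity provider can honour it: the provider itself is a public entity and publishes one omni-directional identifier, while every user gets a different unidirectional identifier for each relying party, derived with a keyed hash so that two relying parties comparing the handles they hold cannot tell they belong to the same person. The provider URL, pairwise key, user record and relying-party names are constructed; the attribute filtering in `assertion_for` is Law 2 applied at the same point.

```python
"""Law 4 (directed identity) in code.  The identity provider is a public entity with one
omni-directional identifier; each user gets a separate unidirectional identifier per
relying party, derived with a keyed hash, so two relying parties that compare the handles
they hold cannot tell they belong to the same person.  Added example, not from the slides;
the provider URL, key, user records and relying-party names are constructed."""
import base64
import hashlib
import hmac


class IdentityProvider:
    def __init__(self, provider_url: str, pairwise_key: bytes):
        self.provider_url = provider_url      # omni-directional: meant to be discovered
        self._pairwise_key = pairwise_key     # constructed secret; never leaves the provider
        self._subjects = {}                   # internal subject id -> attributes

    def register(self, subject_id: str, attributes: dict) -> None:
        self._subjects[subject_id] = attributes

    def unidirectional_id(self, subject_id: str, relying_party: str) -> str:
        """Stable for one (subject, relying party) pair, unrelated across parties.
        Without the key nobody can derive one party's handle from another's."""
        material = subject_id.encode() + b"\x00" + relying_party.encode()
        mac = hmac.new(self._pairwise_key, material, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(mac[:16]).rstrip(b"=").decode()

    def assertion_for(self, subject_id: str, relying_party: str, requested: list) -> dict:
        """Law 2 as well: release only the attributes this relying party asked for."""
        attributes = self._subjects[subject_id]
        return {
            "iss": self.provider_url,
            "aud": relying_party,
            "sub": self.unidirectional_id(subject_id, relying_party),
            "claims": {name: attributes[name] for name in requested if name in attributes},
        }


def parties_can_correlate(assertion_a: dict, assertion_b: dict) -> bool:
    """What two colluding relying parties learn from the handles alone."""
    return assertion_a["sub"] == assertion_b["sub"]


if __name__ == "__main__":
    idp = IdentityProvider("https://idp.example/", b"constructed-demo-key-not-for-use!")
    idp.register("u-1001", {"email": "alice@example.org", "age_over_18": True, "department": "finance"})
    shop = idp.assertion_for("u-1001", "https://shop.example/", ["age_over_18"])
    news = idp.assertion_for("u-1001", "https://news.example/", ["email"])
    print(shop["sub"], news["sub"], parties_can_correlate(shop, news))
```

The pairwise key is the provider's correlation capability: whoever holds it can link the handles, so it belongs with the provider's other signing material, not in a shared configuration store.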

Slide 8: Architecting Identity
- Identity lifecycle
  - Generation
  - Representation
  - Consumption / usage
  - Transformation
- Identity architectural concerns
  - Access control
  - Regulatory and legal
  - Privacy
  - Personalization
  - Domain attributes
  - Provisioning
  - Audit and reporting
  - Identity mapping services
- Concerns can conflict and cascade

Slide 9: Architecting Identity
- Risk examples
  - Promiscuous identity: identity information leakage across domains
  - Disclosure of personal information
  - Overall vulnerabilities in weak identity implementations: custom-coded identity layers and functions, username and password, password recovery
  - Phishing
  - User knowledge
  - Offline combination of personal information (data mining)
  - Lack of full-lifecycle protection of identity information
  - Lack of consistent usage of identity in distributed systems: inherent trade-offs in using proxies, impersonation, delegation, etc.
  - Weaknesses in identity cascade across the system: developers are instructed not to write their own crypto algorithms, yet a home-grown identity system is what "protects" the crypto functionality

Slide 10: Impersonation & Delegation
[Diagram: the call chain Alice (thin client) -> Bob (web server) -> Charlie (app server) -> DB server, drawn once under impersonation and once under delegation]
- Review "Security Design Patterns" by Blakley & Heath for a full treatment of the options
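To make the contrast on this slide concrete, here is an added example (not from the slides and not from Blakley & Heath) that runs the same Alice -> Bob -> Charlie -> DB chain in both modes. Under impersonation each tier calls the next as Alice, so the DB cannot tell Alice from a tier acting as her and its audit trail shows only Alice; under delegation each tier calls as itself and carries the chain of identities it acts for, so the DB can require that the immediate caller is a tier allowed to act for users, still authorise the end user, and record the whole chain. The tier names, records, ACL and trusted-client list are constructed.

```python
"""Impersonation versus delegation along Alice (thin client) -> Bob (web server) ->
Charlie (app server) -> DB server.  Added example, not from the slides or from
Blakley & Heath; tier names, records, ACL and trusted-client list are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    subject: str              # identity the callee authenticates
    on_behalf_of: tuple = ()  # delegation chain, end user first (empty under impersonation)


# Constructed policy for the DB tier.
RECORDS = {"alice_records": {"balance": 100}, "dave_records": {"balance": 5}}
ACL = {"alice_records": {"alice"}, "dave_records": {"dave"}}
DB_CLIENTS = {"charlie"}      # only the app server account may act for users at the DB

AUDIT = []                    # (subject, on_behalf_of, resource, outcome)


def db_server(ctx: Context, resource: str) -> dict:
    """DB tier: authorise the end user against the ACL and, when a chain is present,
    insist that the immediate caller is a tier allowed to act on behalf of users."""
    try:
        if ctx.on_behalf_of:
            if ctx.subject not in DB_CLIENTS:
                raise PermissionError(f"{ctx.subject} may not act on behalf of users here")
            end_user = ctx.on_behalf_of[0]
        else:
            end_user = ctx.subject    # impersonation: whoever this really is looks like the user
        if end_user not in ACL.get(resource, set()):
            raise PermissionError(f"{end_user} may not read {resource}")
        AUDIT.append((ctx.subject, ctx.on_behalf_of, resource, "ok"))
        return RECORDS[resource]
    except PermissionError as exc:
        AUDIT.append((ctx.subject, ctx.on_behalf_of, resource, f"denied: {exc}"))
        raise


def next_hop(caller: Context, tier_identity: str, mode: str) -> Context:
    """Build the context a tier presents to the tier below it."""
    if mode == "impersonation":
        return Context(caller.subject)                    # the tier vanishes from the chain
    return Context(tier_identity, caller.on_behalf_of + (caller.subject,))


def app_server(ctx: Context, resource: str, mode: str) -> dict:      # Charlie
    return db_server(next_hop(ctx, "charlie", mode), resource)


def web_server(ctx: Context, resource: str, mode: str) -> dict:      # Bob
    return app_server(next_hop(ctx, "bob", mode), resource, mode)


def request(user: str, resource: str, mode: str):
    """Full path from the thin client; returns (data or None, last audit record)."""
    try:
        data = web_server(Context(user), resource, mode)
    except PermissionError:
        data = None
    return data, AUDIT[-1]


def compromised_web_server_direct(user: str, resource: str, mode: str):
    """Bob skips Charlie and talks to the DB directly, as a compromised web tier would."""
    try:
        data = db_server(next_hop(Context(user), "bob", mode), resource)
    except PermissionError:
        data = None
    return data, AUDIT[-1]


if __name__ == "__main__":
    for mode in ("impersonation", "delegation"):
        print(mode, "normal path:", request("alice", "alice_records", mode))
        print(mode, "web tier direct:", compromised_web_server_direct("alice", "alice_records", mode))
```

The last case is the one to look at: a web tier that reaches past the app server succeeds under impersonation, and the audit entry it leaves is indistinguishable from a legitimate request, while under delegation the DB refuses it because Bob is not a permitted delegate, and the refusal names him.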

Slide 11: Federated Identity
[Diagram: two security domains; Alice, her user store and an app sit in the first, a Red federation server federates to a Green federation server in the second, which fronts the app/resources there]
- Standards support and emerging toolsets and vendor support in the federation space: SAML, WS-Federation, Liberty

Slide 12: Alice in Identityland
- Problem in distributed systems: the identity silos do not reflect the security context of the transaction
[Diagram: Alice (thin client) -> Bob (web server) -> Charlie (app server) -> DB server, each tier with its own identity silo]
- Identity silos are tightly coupled

Slide 13: Alice in Identityland
- Use an identity abstraction layer to facilitate interoperability, security, and loose coupling
[Diagram: the same chain, Alice -> Bob -> Charlie -> DB server, with each tier's silo behind a single identity abstraction layer that supports query, update and attribution; token types shown: SAML, Kerberos, X.509]
- Standards and vendor/tool support emerging: WS-Trust for security token exchange, creation, and validation for SAML, Kerberos, username/password, and X.509
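The federation picture on slide 11 and the token exchange on this slide are the same move seen from two sides, so one added example serves both. It is not code from the slides and not an implementation of WS-Trust or SAML, whose token formats and bindings are far richer: the Red domain's token service checks a username/password against Red's own user store and issues a signed claims token addressed to Green; Green's abstraction layer validates it against the issuers it trusts (issuer, signature, audience, expiry), maps the federated subject to a local account through a mapping table, and hands its application a Green-issued token, so nothing behind the layer ever parses a foreign token. The keys, the users, the mapping table and the compact token format are constructed.

```python
"""Token exchange across two security domains through an identity abstraction layer.
Red's token service checks a username/password against Red's user store and issues a
signed claims token addressed to Green; Green's layer validates it, maps the federated
subject to a local account and gives its application a Green-issued token.  Added
example, not code from the slides and not WS-Trust or SAML; keys, users, the mapping
table and the token format are constructed."""
import base64, hashlib, hmac, json, os, time

def b64enc(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class TokenService:
    """One per domain: issues signed claims tokens, validates tokens from trusted issuers."""
    def __init__(self, name, signing_key, trusted_issuers):
        self.name = name
        self._key = signing_key
        self._trusted = trusted_issuers          # issuer name -> key that verifies its tokens

    def issue(self, subject, audience, claims, ttl=300, now=None):
        now = time.time() if now is None else now
        body = {"iss": self.name, "sub": subject, "aud": audience, "exp": now + ttl, "claims": claims}
        payload = json.dumps(body, sort_keys=True).encode()
        return b64enc(payload) + "." + b64enc(hmac.new(self._key, payload, hashlib.sha256).digest())

    def validate(self, token, now=None):
        """Structure, issuer, signature, audience, expiry: skip any one and the layer is a hole."""
        now = time.time() if now is None else now
        try:
            enc_payload, enc_sig = token.split(".")
            payload, sig = b64dec(enc_payload), b64dec(enc_sig)
            body = json.loads(payload)
            if not isinstance(body, dict):
                raise TypeError
        except (ValueError, TypeError):
            raise ValueError("malformed token")
        key = self._trusted.get(body.get("iss"))
        if key is None:
            raise ValueError("untrusted issuer")
        if not hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), sig):
            raise ValueError("bad signature")
        if body.get("aud") != self.name:
            raise ValueError("token not addressed to this domain")
        if not isinstance(body.get("exp"), (int, float)) or body["exp"] < now:
            raise ValueError("expired")
        return body

class RedDomain:
    """Red's identity service: authenticates against Red's store, then issues federation tokens."""
    def __init__(self, sts):
        self.sts = sts
        self._users = {}                         # username -> (salt, stretched hash, attributes)

    @staticmethod
    def _stretch(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def add_user(self, username, password, attributes):
        salt = os.urandom(16)
        self._users[username] = (salt, self._stretch(password, salt), attributes)

    def authenticate(self, username, password):
        record = self._users.get(username)
        if record is None:
            self._stretch(password, b"\x00" * 16)    # same cost whether or not the user exists
            return False
        return hmac.compare_digest(record[1], self._stretch(password, record[0]))

    def federate(self, username, password, target_domain, now=None):
        """Username/password in; signed claims token for another domain out, or None."""
        if not self.authenticate(username, password):
            return None
        return self.sts.issue(username, target_domain, {"role": self._users[username][2]["role"]}, now=now)

class GreenIdentityLayer:
    """Green's abstraction layer: the application behind it never parses a foreign token."""
    def __init__(self, sts, subject_mapping):
        self.sts = sts
        self._mapping = subject_mapping          # (issuer, remote subject) -> local account

    def exchange(self, federated_token, now=None):
        body = self.sts.validate(federated_token, now=now)
        local = self._mapping.get((body["iss"], body["sub"]))
        if local is None:
            raise ValueError("no local account mapped for federated subject")
        return self.sts.issue(local, self.sts.name, body["claims"], now=now)

def forge_subject(token, new_subject):
    """Rewrite the payload but keep the old signature: what an attacker without the key can do."""
    enc_payload, enc_sig = token.split(".")
    body = json.loads(b64dec(enc_payload))
    body["sub"] = new_subject
    return b64enc(json.dumps(body, sort_keys=True).encode()) + "." + enc_sig

def exchange_or_error(layer, token, now=None):
    """(local token, None) on success, (None, reason) on any validation failure."""
    try:
        return layer.exchange(token, now=now), None
    except ValueError as exc:
        return None, str(exc)
```

Two things carry over to a real deployment regardless of token format: the consuming domain checks the audience, so a token Red issued for some third domain cannot be replayed at Green, and the mapping table is the identity mapping service from slide 8 made explicit, which is where a federated subject with no local account is stopped.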

Slide 14: Identity Abstraction Layer
- Identity runtime services:
  - Abstract identity implementation details from the interface
  - Authoritative source for identity data
- Reporting services:
  - Audit, logging, reporting
- Differentiate between runtime services and provisioning

Slide 15: Identity Abstraction Layer
- Goals
  - Abstract back-end systems, similar to how a data access layer works in n-tier systems
  - Use strong identity standards for interoperability across domains
  - Service-oriented focus: decouple identity from systems
- Functions
  - Access control
  - Naming services
  - Checkpoint services
  - Common descriptor format
  - Consistent interface, API, and data exchange format for accessing and updating identity data

Slide 16: Guarding the Keys to the Kingdom
- Hardening identity servers and services
- Design for failure
- Usability
- Incident response
- Assurance
- Availability

Slide 17: Project Roles
- Identity architect: identity system architecture and implementation
- Application architect: responsible for application requirements
- Developer: writes code (and unit tests) but should not be writing custom crypto, password recovery, and provisioning systems

Slide 18: Where to go from here
- OWASP Guide
- Build Security In (DHS portal): https://buildsecurityin.us-cert.gov/portal/article/bestpractices/assembly_integration_and_evolution/Identity_in_Assembly_and_Integration.xml
- Blogosphere
  - Identityblog: identityblog.com
  - Id Corner: idcorner.org
- Open Group
  - Jericho Forum, focused on deperimeterization: http://www.opengroup.org/jerichoforum
  - Security Design Patterns: http://www.opengroup.org/bookstore/catalog/g031.htm

